- A violation has affected thousands of Carolina anesthesiology PA patients
- Sensitive health information and patient data were postponed
- This leaves anyone who is affected at risk of identity theft or social engineering
Security researcher Jeremiah Fowler has discovered a non -password -protected database, which is believed to be owned by Carolina Anesthesiology PA – a health company based on North Carolina. This data set contained 21,344 records, was almost 7 GB and spans several states.
The information contained sensitive data, including patient information such as names, physical addresses, telephone numbers and E email addresses, as well as details of insurance coverage, anesthetic summary, diagnoses, family medical stories and doctors notice. According to the researcher, there were files marked ‘invoicing and compliance reports’ which give an idea of the included type of data.
Although there is no evidence so far to suggest that the database fell into malicious hands, the potential compromise on the unprotected database could put many at risk of social technical attacks such as phishing, identity theft or fraud.
Database on show
The researcher outlines that the data set contained a “detailed analysis and key metrics related to medical invoicing and healthcare provided” – but that the health company, when contacted, indicated that it did not own or manage the database, but that the owner has been notified and public access limited.
It is not clear whether the information was accessed by a threat actor or third party, as only an internal revision would show this – and as far as we know, the information has not appeared on any dark sites for the sale of cyber criminals. Examination of the researcher indicates that this folder content was probably associated with the ATRIUM Health – a partner for Carolina Anesthesiology Pa.
“Our Cyber Security Team immediately launched an internal survey after receiving an email tip in mid-February 2025 on a possible data violation. Our study found that Carolina anesthesiology, PA, which regularly provides anesthesia services at selected facilities, incorrectly configured the technology service used for billing data, and exposed some of their patient data, ”said atrium Health in response to the infringement.
“We immediately close all the data foreds to Carolina -Anesthesiology and, as courtesy, informed the regular government units. We continue to learn more from Carolina Anesthesiological Team about their plan to notify their patients of this breach.
